Hi, thank you for your response. Yes, the corresponding interface on 35-2 was down. Yes, tracking the interface is good advice for a workaround; we also thought about it. But we think it is just a workaround, not a solution. In addition, we have 10 standby groups and 65-02 is the active member for all of them, so we would need to track interface 1/1 within all standby groups. Does this make sense? In our topology there must be a way to use the usual standby group rerouting and re-switching mechanisms, must there not? What we don't know is what happens to packets (containing VLAN 1 and VLAN 2 addresses as source and destination) arriving on 65-01 if 65-01 is only the standby member for standby groups 1 and 2. What is its default behavior?
This is our topology: the two Nexus 7010 are our core switches. The two Catalyst 6509 "65-01" and "65-02" are our core routing devices. They provide the OSPF processes and standby groups for all our VLAN interfaces. VLAN 2 is our internet VLAN. The ASA failover cluster is connected via two Catalyst 3550 switches to VLAN 2. "ASA-2" is the primary and active device. "65-02" is always the active member for all standby groups:

    65-2#sho stand brief
                         P indicates configured to preempt.
                         |
    Interface   Grp Prio P State   Active          Standby         Group addr
    Vl1         1   110  P Active  local           192.168.114.51  192.168.114.50
    Vl2         2   110  P Active  local           10.10.10.51     10.10.10.50

    65-2#sho run int vlan 2
    !
    interface Vlan2
     ip address 10.10.10.52 255.255.255.0
     no ip redirects
     standby 2 ip 10.10.10.50
     standby 2 priority 110
     standby 2 preempt
    end

    65-2#sho run int vlan 1
    !
    interface Vlan1
     ip address 192.168.114.52 255.255.254.0
     no ip redirects
     standby 1 ip 192.168.114.50
     standby 1 priority 110
     standby 1 preempt
    end

On both "65-1" and "65-2" a default route is set, pointing to the ASA failover cluster inside address 10.10.10.200:

    ip route 0.0.0.0 0.0.0.0 10.10.10.200

So, now the problem!!! Yesterday interface 1/1 on "65-02" went down due to a malfunctioning line card.

- The primary active "ASA-2" stayed active and didn't fail over to the secondary ASA, because all its local interfaces were still connected. OK
- The two standby groups 1 and 2 also probably stayed active on "65-02" and didn't switch over to "65-01". OK
- www was unreachable for all clients in VLAN 1, but also for all other clients. NOT OK!!
- After powering active ASA-2 off and ASA-1 becoming active, www was reachable again. ???

What could be the problem? After fixing the line card issue and switching back to ASA-2 as the active device we tested a little. Usually the MAC address of standby ASA-1 (IP 10.10.10.254) is learned on "65-02" via Po3. OK. After shutting down interface 1/1 on "65-01" manually, the MAC was learned on "65-02" via interface 1/1, because the cross link between the two "35-2" provides the MAC to "65-02". OK. So that part works.

Could the way back (answer packets) from the ASA to a client in VLAN 1 be the problem? After a failure of int 1/1 on "65-02", all packets from ASA-2 to the client arrive on "65-01", which is only the standby member for the VLAN interfaces. We have no ideas and are not allowed to test it again the hard way by shutting interface 1/1 on "65-02" again. :-( Any ideas?
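The workaround discussed in this thread (tracking interface 1/1) has to be applied per HSRP group, and the poster notes that 65-02 is active for 10 groups. The following script is an added example, not part of the original post or any Cisco tool: it parses the `show standby brief` output quoted above and emits a `standby <grp> track <interface> <decrement>` line for every group the router is currently Active for, with a decrement chosen so that the local priority drops below the peer's. It assumes the classic IOS tracking syntax, that the tracked interface is named `GigabitEthernet1/1` and that 65-01 runs the default priority 100; none of that is stated in the thread, and the decrement has to be recomputed if the peer priority differs. One caveat the decrement alone does not cover: the peer only takes over on a priority drop if it is itself configured with `standby <grp> preempt`, and the peer's configuration is not shown in the post.

```python
"""Generate HSRP interface-tracking statements from 'show standby brief'.

Added example for the thread above; it is not the poster's configuration
or a Cisco utility. Assumptions: classic IOS syntax
'standby <grp> track <interface> <decrement>', and a peer priority of 100
(the IOS default), which the thread does not state.
"""
import re
from dataclasses import dataclass

# Constructed sample: the 'show standby brief' rows quoted in the post,
# restored to one row per line.
SHOW_STANDBY_BRIEF = """\
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State   Active          Standby         Group addr
Vl1         1   110  P Active  local           192.168.114.51  192.168.114.50
Vl2         2   110  P Active  local           10.10.10.51     10.10.10.50
"""

# One data row: interface, group, priority, optional 'P', state, active,
# standby and group (virtual) address. Header and legend lines do not match
# because their second column is not numeric.
_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<prio>\d+)\s+(?P<preempt>P?)\s*"
    r"(?P<state>\S+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)\s*$"
)


@dataclass(frozen=True)
class StandbyGroup:
    interface: str
    group: int
    priority: int
    preempt: bool
    state: str
    active: str
    standby: str
    vip: str


def parse_standby_brief(text: str) -> list[StandbyGroup]:
    """Return one StandbyGroup per data row of 'show standby brief'."""
    groups = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        groups.append(StandbyGroup(
            m["intf"], int(m["grp"]), int(m["prio"]), m["preempt"] == "P",
            m["state"], m["active"], m["standby"], m["vip"]))
    return groups


def tracking_decrement(local_priority: int, peer_priority: int,
                       margin: int = 10) -> int:
    """Decrement that puts the local priority strictly below the peer's.

    With priority 110 here and an assumed default-priority peer (100), a
    decrement of 10 would only produce a tie, which HSRP breaks on the
    higher interface IP address rather than on the tracked link state.
    """
    return max(local_priority - peer_priority, 0) + margin


def track_config(groups: list[StandbyGroup], tracked_interface: str,
                 peer_priority: int = 100) -> list[str]:
    """Emit a track statement for every group this router is Active for.

    The poster's point: with 10 groups all active on one box, each group
    needs its own statement, otherwise only the tracked groups fail over
    and the rest keep forwarding towards the dead link.
    """
    lines = []
    for g in groups:
        if g.state != "Active":
            continue
        dec = tracking_decrement(g.priority, peer_priority)
        lines.append(f"interface {g.interface}")
        lines.append(f" standby {g.group} track {tracked_interface} {dec}")
    return lines


if __name__ == "__main__":
    # 'GigabitEthernet1/1' is an assumption about the name of port 1/1.
    parsed = parse_standby_brief(SHOW_STANDBY_BRIEF)
    print("\n".join(track_config(parsed, "GigabitEthernet1/1")))
```

Paste the real `show standby brief` output of 65-02 into `SHOW_STANDBY_BRIEF` (or read it from a file) and adjust `peer_priority` to what `show standby` reports on 65-01; the emitted lines go under each listed interface. The script deliberately emits nothing for groups in which the router is already Standby, because those groups do not need to be pushed away.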